BYOD In Defense Department? Not In This Lifetime

Large bureaucracies, whether public or private, have a variety of ways to effectively avoid adopting a popular policy or practice. One way is to make that policy or practice a long-term goal while promising to keep evaluating it periodically.

That's what the Defense Department has done with its BYOD -- bring your own device -- policy.

There's no question that the department has made strides on mobility, enterprise mobile device management, and the use of commercial devices and even General Services Administration contracts. But BYOD?

Here's what Defense CIO Teri Takai said about BYOD in a February 2013 memo on commercial mobile device (CMD) implementation:

"Despite the benefits, existing DOD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition." The memo said that BYOD is a long-term objective and, "in conjunction with the Digital Government Strategy, DOD will continue to evaluate BYOD options."

Based on public comments from the CIO's office since then, it's fair to say that the DOD's position hasn't changed. In other words, when it comes to BYOD, don't hold your breath. Although the department officially holds out the possibility of a future BYOD policy, I don't see it happening in reality, at least not in the foreseeable future.

Why? The risks of security breaches are simply too great and the consequences too dangerous.

Not a month after the DOD CIO's office issued its implementation plan, the Defense Department's inspector general released a tough report on security holes in the Army's use of commercial mobile devices. Investigators visited West Point and Army Corps of Engineers locations and examined Android, iOS, and other commercial mobile devices in use.

The IG found they weren't covered by mobile device management (MDM) software, and weren't subject to remote wiping. Many devices were in use, yet the Army wasn't even aware of them. Hundreds were purchased by users without authorization in a sort of self-created, unofficial BYOD program.

If the DOD is going slowly in adoption of mobility devices, it's going more slowly still in BYOD. DOD IT planners realize, as everyone should, that mobility doesn't equal BYOD. Mobile devices have special -- and by now, widely understood -- requirements for becoming secure. Two of the most important:

Mobile device management. The government has been rushing headlong into mobility ever since former federal CIO Vivek Kundra pushed for it back in 2009. Devices, applications, application stores, and associated pilot projects arrived at agencies before CIO shops even thought about comprehensively managing potentially thousands or tens of thousands of devices. Not until early 2013 did the GSA begin to look for government-wide contracts for MDM and mobile application management products. Without MDM in place, it's nearly impossible to have strict configuration control, a security must-have. Now the government has gotten serious about MDM. This GSA site lists vendors with FIPS 140-2 MDM and MAM products.

Sandboxing of applications. This involves partitioning the mobile device so that approved apps run in an isolated environment, in effect a virtual machine on the device, and only those apps can access certain data sources.
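The two requirements above, together with the IG finding that devices were in use without MDM coverage or remote-wipe capability, amount to a configuration-control audit. The script below is an added example, not code from the article or from any DOD or GSA program: it reconciles devices observed on the network against MDM enrollment records and flags the gaps a reviewer would look for (unmanaged devices, remote wipe disabled, encryption off, unapproved models, and agency data reachable by apps outside the managed container). All device records, serial numbers, app names and the approved-model list are constructed sample data; the field names are assumptions standing in for whatever a real MDM console exports.

```python
# Constructed sample data: what an agency might pull from its MDM console.
# Each record is keyed by device serial. Field names are assumptions.
MDM_ENROLLED = {
    "SN-A100": {"remote_wipe": True, "encrypted": True, "model": "iPhone 5",
                "container_apps": {"Mail", "Docs"}, "agency_data_apps": {"Mail"}},
    "SN-A101": {"remote_wipe": False, "encrypted": True, "model": "Galaxy S4",
                "container_apps": {"Mail"}, "agency_data_apps": {"Mail"}},
    "SN-A102": {"remote_wipe": True, "encrypted": True, "model": "iPad",
                "container_apps": {"Mail"},
                # a personal sync app that can read agency documents
                "agency_data_apps": {"Mail", "PersonalCloudSync"}},
}

# Constructed: devices seen authenticating to agency mail or Wi-Fi. In practice
# this would come from ActiveSync logs, RADIUS accounting, or a NAC appliance.
OBSERVED = [
    {"serial": "SN-A100", "user": "jdoe", "model": "iPhone 5"},
    {"serial": "SN-A101", "user": "asmith", "model": "Galaxy S4"},
    {"serial": "SN-A102", "user": "bjones", "model": "iPad"},
    {"serial": "SN-Z999", "user": "cwhite", "model": "Nexus 4"},    # never enrolled
    {"serial": "SN-Z998", "user": "dgreen", "model": "Galaxy S4"},  # never enrolled
]

# Hypothetical choose-your-own-device list of government-furnished models.
APPROVED_MODELS = {"iPhone 5", "iPad", "Galaxy S4"}


def find_unmanaged(observed, enrolled):
    """Serials seen on the network that have no MDM enrollment record."""
    return sorted({d["serial"] for d in observed} - set(enrolled))


def check_device(serial, enrolled, approved_models):
    """Return a list of findings for one device; an empty list means compliant."""
    rec = enrolled.get(serial)
    if rec is None:
        # Without an MDM record there is nothing else to check: no remote
        # wipe, no configuration control, and the agency may not know it exists.
        return ["not enrolled in MDM"]
    findings = []
    if not rec["remote_wipe"]:
        findings.append("remote wipe not enabled")
    if not rec["encrypted"]:
        findings.append("storage encryption disabled")
    if rec["model"] not in approved_models:
        findings.append(f"model {rec['model']} not on approved list")
    # Sandboxing check: every app that touches agency data must live inside
    # the managed container, otherwise the data can leak to unmanaged storage.
    for app in sorted(rec["agency_data_apps"] - rec["container_apps"]):
        findings.append(f"app {app} reaches agency data outside the managed container")
    return findings


def audit(observed, enrolled, approved_models):
    """Map each observed serial to its findings."""
    return {d["serial"]: check_device(d["serial"], enrolled, approved_models)
            for d in observed}


def summarize(report):
    """Counts a CIO shop would track: total seen, noncompliant, fully unmanaged."""
    return {
        "total": len(report),
        "noncompliant": sum(1 for f in report.values() if f),
        "unmanaged": sum(1 for f in report.values() if f == ["not enrolled in MDM"]),
    }


if __name__ == "__main__":
    report = audit(OBSERVED, MDM_ENROLLED, APPROVED_MODELS)
    for serial, findings in sorted(report.items()):
        print(f"{serial}: {'OK' if not findings else '; '.join(findings)}")
    print(summarize(report))
```

The unmanaged count is the number the Army IG effectively reported: devices on the network that the MDM system, and therefore the agency, does not know about. The sandboxing finding is deliberately separate from the enrollment finding, because a device can be fully enrolled and still let a personal app read agency data if the container policy is loose.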


It's not as if policies aren't in place to help implement mobility in Defense Department components. The IG report mentions DOD instructions (5010.40) covering internal control programs. There's also a memo that predates Takai's memo, dating back to early 2011. It has comprehensive instructions on protecting commercial mobile devices.

Policy is fragmented

In spite of the best efforts of the DOD CIO's office, I see the policies toward mobile devices varying widely from one defense branch to the next.

DOD doesn't lack for initiatives to unify policy and practice. The Defense Information Systems Agency has been designated to provide unified technology programs across the DOD and has made some headway. For example, DISA continues to strengthen its role in the Joint Information Environment (JIE), providing 1.4 million users secure access to DOD cloud email accounts. It also created an Army-Air Force enterprise license agreement for Microsoft products.

The JIE is presumably the right place to develop and manage mobility capabilities for individual defense branches and even DOD-wide. But to put it charitably, the JIE is very much a work in progress.

DOD managers can also avail themselves of mobility guidance from the National Institute of Standards and Technology and even the Office of Management and Budget. Yet nothing in the accumulated policy and technology guidance makes a strong case for advancing BYOD as a subset of a military mobility framework, much less compels it.

Contractors seeking to work in the DOD market would be wise not to oversell the idea of enabling any and all mobile devices. Despite the promises of technology, BYOD simply won't happen in the DOD, at least not in any meaningful numbers.

I know, I know. BYOD situations have broken out in a few civilian agencies. But they have different and often less dangerous security considerations. And let's not forget about the Snowden effect that's making every agency nervous about trusted people on its network.

More likely, DOD agencies will establish a choose-your-own-device plan. (Dare I coin a new term, "CYOD"?) Employees, uniformed and civilian, will select from a list of approved devices depending on the flavor each person prefers. But the devices will be government-furnished, delivered with the agency's configuration and security controls already in place.

Tim Larkins is manager of market intelligence for immixGroup, which helps technology companies do business with the government. He can be reached at tim_larkins@immixgroup.com.


Interesting take on the BYOD argument - from my perspective, there are numerous examples where technology trends have started in the social environment before moving into civil industry and then migrating into the military. Mobile apps – just one great example of a development which has been driven by consumers – are starting to have an important impact on aerospace and defense as part of several government initiatives worldwide.

Taking mobility one step further, it's interesting to see how the BYOD trend may take hold in defense in the future. Is it unacceptable for security and data control reasons, or just another inevitable trend that defense needs to embrace for the future?

I agree that many defense departments or military institutions may shy away from such a trend due to security issues, data concerns and coordination problems and therefore it's unlikely that this will take hold in defense in the short term.

Defense departments are already talking BYOD and how such policies can be implemented effectively. Take the Australian Department of Defence, for example, which has already created a BYOD plan called 'corporate owner and personally enabled' (COPE), which will be supported by a Defense app store. And Dr. Guy Bunker, renowned network defense specialist and author of ENISA's key report on cloud computing, says that BYOD is "here to stay" as a strategy for enhancing military IT usability.

So I believe the answer is yes – BYOD is likely to happen in defense, but the route for doing so needs to be progressive and selective in order to ensure optimal security.

What many users don't realize is the risk they are taking when they use personal devices for work. It's really important for organizations to educate employees about the related governance and legal implications: For example, you could lose your phone or tablet if you're subpoenaed, and any embarrassing personal pix intermingled with work docs will now be in lawyers' and/or law enforcement's hands.

Alison, you're right, the costs are high, in part because there's really the cost of supporting two approaches: Govt./Corp. Furnished Equipment and BYOD. The BYOD approach is supposed to save money in essentially eliminating the equipment costs, but the hidden costs remain.

Whenever I speak to CIOs or IT execs about MDM, the biggest problem they cite isn't the technology. It's price. I remember talking to the CIO of a utility company about six months ago. His company was hesitant to roll out BYOD despite executives' demands because the cost to do it securely was really high. I can't recall the number he told me and don't want to speculate, but it was a big one! After our conversation he was off to speak to one of the bigger MDM developers, primarily to haggle on cost. Until that price dropped, he was unwilling to commit, no matter how noisy execs were.

OTOH, it's hard to imagine execs will quietly comply with this edict from IT. I'd guess they'll use their personal devices to share data, access email, and do everything else they want to do. This "shadow BYOD" opens up a whole lot more security concerns -- and costs -- than even the most expensive MDM system. Are DoD employees more apt to obey orders? I don't know.

Thanks for bringing up the HIPAA point, @Sharron. I've spoken to several hospital CIOs who are piloting or planning to pilot text messaging systems to communicate with patients -- usually to schedule appointments, remind them about medicines and tests, and share info on their conditions. Meaningful Use means more healthcare providers will have to do this and many studies show most users, including older patients, like text messages. Healthcare providers had to find secure systems and developers obviously focused on this market, knowing there was going to be a big opportunity here. No doubt some of these companies will target defense and related organizations in the future.

The big deal about a separate device is $$$$. Why not offer a government employee a stipend at the end of the fiscal year to supplement the cost of the IT equipment and not pay for the entire cost of the IT equipment? I will answer: it would save the government money!!! And it is not just the cost of the phone but the tablet and laptop as well. Think about the cost saving that could be achieved from a total BYOD architecture.

I totally disagree with just the title of the article, let alone some of the content. "BYOD In Defense Department? Not in this Lifetime" is an absurd statement! With technologies mentioned in the memo from DoD CIO such as MDM, MAS, and VDI there is a green field for integration into the DoD space. The memo also stated "As the technology matures and is proven to meet DoD security requirements for the mobility environment. DoD CIO will monitor and generate the necessary DoD implementation policies to support BYOD. In conjunction with the Digital Government Strategy, DoD will continue to evaluate BYOD options". Well, the technology has matured and it is certainly possible in this lifetime. Vendors such as Air-watch (MDM/MAS), which was procured by VMware, and ZenPrise (MDM/MAS), owned by CITRIX, have technologies that are geared to support a BYOD integration into the DoD space. What was unfortunately not mentioned in the article was "DATA" and the security that can be gained with positive control of DoD data. The technologies that I mentioned are capable of containerizing the data on the device and having positive control of the data, meaning the data can be deleted at any time. And on another note, the cost of deploying an MDM/MAS solution in DoD is being incurred now with DoD-issued devices, so the cost is not higher, which was alluded to by a previous post.

The Federal Information Security Management Act creates some real challenges for BYOD implementation for government agencies and the military, but I think they can look at some of the solutions that healthcare has come up with to meet the data security challenges of the HIPAA requirements. Our hospital is a good example of this; as we are taking a HIPAA compliant texting API by Tigertext called TigerConnect, and putting it together with a secure email API and the Dropbox API to make a security app that all the staff and doctors will install on their phones and tablets to ensure HIPAA compliance and security. Government agencies may have to implement a similar program for their BYOD implementations. More info - http://developer.tigertext.com/

I hear what everyone is saying about having to have a secure device and I understand it if the intent is to process data using the stock apps for email or documents. However, most employees in the DoD and I'm sure other agencies just want access to email and don't need or want anything more on a mobile device.
I don't understand why we can't create a secure, encrypted app that runs limited, stand-alone functionalities that can't interface with anything else on the phone. The app can have its own password protection to open it and an encrypted key or a VPN connection back to the server side. For example, an email app that does not store anything on the phone but rather on the server side only. This doesn't seem that hard.

